Whonix ™ and Tor Limitations


Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation, including a System Hardening Checklist. The more you know, the safer you can be.





Whonix ™ developers have done their utmost to provide solid tools which protect online privacy, but no perfect solution exists to the complex anonymity problem. Before deciding whether Whonix ™ is the right platform to use, it is crucial that each individual understands the limitations of the tools offered and how to make best use of them.
Anonymous Identities


Whonix ™ does not Separate Different Contextual Identities


It is usually inadvisable to use the same Whonix-Workstation ™ to perform more than one task, or when using two (or more) contextual identities that must be kept separate from each other. For example, it is poor operational security to use the same Whonix-Workstation ™ to check email via Tor while simultaneously publishing an anonymous document.

The first reason is that Tor tends to reuse the same circuits, for example during the same browsing session. The Tor exit relay of a circuit knows both the destination server (and possibly the content of the communication if not encrypted) and the address of the previous relay it received the communication from. This makes it easier to infer that several browsing requests which took place on the same circuit are possibly correlated and originate from the same person. Global adversaries described later are in the perfect position to undertake this form of correlation analysis.

Secondly, if Whonix ™ or one of its applications has a security hole or is misused, then information might leak from the Whonix-Workstation ™. That could reveal that the same 
person was behind the various activities conducted inside the Whonix-Workstation ™. 

To address both threats, better isolation of new identities is required on every occasion they are used. It is recommended to conduct one activity at a time, and implement one or more of the following solutions:


• Multiple VM Snapshots.
• Multiple Whonix-Workstation ™.
• DisposableVMs in Qubes-Whonix ™.


Nyx's "New Identity" button sends the protocol command "signal newnym" to Tor's ControlPort. A new Tor exit relay and a new IP address are likely, but this is not guaranteed.





Using this feature, Tor may only have replaced the middle relay while keeping the same Tor exit relay. Additionally, "signal newnym" will not interfere with long-lived connections like an IRC connection. Apart from the Tor circuits, other types of information can reveal past activities, for example the cookies stored by the browser. Therefore, this Nyx (formerly arm) feature is not a solution for properly separating contextual identities.


Whonix ™ does not Protect Against Social Engineering


Whonix ™ does not protect against social engineering attacks. These attacks rely on human cognitive biases and trick people into revealing passwords or other sensitive information that allows the compromise of a target system's security.

Other examples of social engineering include convincing someone to send a copy of logs or other information from the Whonix-Gateway ™ or host operating system machine. In all cases, after trust has been established between the attacker and the victim, and sufficient information has been gathered, an exploit will be executed to perform harmful actions such as stealing personal or financial information, sabotaging the target's system, deanonymizing the individual and so on.

The best tools in maintaining anonymity are the knowledge that comes from research and experience, and healthy skepticism towards scenarios that pose potential security 
threats. 


Dedicated wiki page: Social Engineering. 


Whonix ™ does not Protect Against External Threats or User Mistakes


Obviously, Whonix ™ cannot protect against external threats like people looking over the user's shoulder or gaining physical access to the machine in order to subvert the 
anonymity features of Tor and Whonix ™. 


Neither can Whonix ™ prevent people from shooting themselves in the foot, leading to inadvertent deanonymization. It is strongly encouraged to read the Tips on Remaining 
Anonymous page to learn about non-technical steps to stay anonymous when using Tor, Tor Browser and Whonix ™. This list considers: 


• How to protect sensitive data and communications.
• Safe use of social networks.
• Safe Tor networking considerations.
• (Mobile) phone verification.
• The danger of random files and links.
• Personal websites and links.
• The difference between anonymity and pseudonymity.
• Accounts previously used without Tor.
• The danger of mixing clearnet and Tor simultaneously.
• Banking / financial provider accounts.
• The consequences of changing settings.
• Modes of anonymity.
• Server connections.
• The risks posed by identifying data and online identities.
• When to use bridges.


Only Whonix-Workstation ™ is Designed for Anonymous Activity


All anonymous activity should only take place inside Whonix-Workstation ™ and nowhere else.





The host operating system -- the operating system running the virtualizer, and the system which was used before downloading Whonix ™ -- is not "torified". Anonymous tasks 
should never be performed on the host system. 


The Whonix-Gateway ™ is solely designed to run Tor and act as a firewall. Any "anonymous" activities should not be conducted on the Gateway. Further, in most cases there is no need to modify settings on the Whonix-Gateway ™, except for minor modifications like setting up bridges, which are already documented.


Attacks

Man-in-the-middle Attacks


A man-in-the-middle attack (MitM) is an attack where an attacker makes independent connections with two parties and secretly relays (and potentially alters) messages between them. This is a form of active eavesdropping, since the two parties think they are communicating directly with each other and are unaware the conversation is being controlled by the attacker. [3]


Figure: Illustration of a MitM Attack
While using Tor, MitM attacks can still happen between the exit relay and the destination server. The exit relay itself can also act as a man-in-the-middle. For an example of such an attack see MW-Blog: TOR exit-node doing MITM attacks. It is worth reiterating that protecting against these attacks requires end-to-end encryption and taking extra steps to verify the server's authenticity.

Normally a server's authenticity is automatically verified by the browser using SSL/TLS certificates which are checked against a set of recognized certificate authorities (CAs). If a security exception message appears like the figure below, then this might constitute a MitM attack. The warning should not be bypassed unless there is another trusted way of checking the certificate's fingerprint with the people running the service.


Figure: An Untrusted Connection

"Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue."
Mozilla has an educational resource to help determine if a connection to a website is secure. The Electronic Frontier Foundation (EFF) also has an excellent interactive illustration that provides an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties.


The Fallible Certificate Authority Model


Unfortunately, the vast majority of Internet encryption relies on the CA model of trust which is susceptible to various methods of compromise. Ultimately, encryption in and of itself 
does not solve the authentication problem in electronic communications, as seen in the actions of advanced adversaries who have targeted and undermined this central pillar upon 
which the Internet relies. 


For example, Verisign was hacked successfully and repeatedly in 2010, with the likely conclusion being that the attackers were able to forge certificates for an unknown number of websites.


A more glaring example was the confirmation by Comodo on March 15, 2011, that a user account with an affiliate registration authority had been compromised. This is a privacy and security disaster since Comodo is a major SSL/TLS company and the breach led to the creation of a new user account that issued nine certificate signing requests for seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com (three certificates), login.skype.com, addons.mozilla.org, and global trustee. [5]


Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issued certificates to a malicious party or parties. It later emerged that DigiNotar was apparently compromised months before, or perhaps even in May of 2009, if not earlier. Rogue certificates were issued for multiple domains, including: google.com, mozilla.org, torproject.org, login.yahoo.com and many more.


Considering the frequency of attacks and the passage of time, there is a distinct possibility that a MitM attack might occur even when the browser is trusting a HTTPS connection. [7]


SSL/TLS Alternatives


Depending on your personal circumstances, there are alternatives to SSL/TLS which can be considered. Unfortunately, none of them can be used as a drop-in replacement for SSL/TLS. Tools providing connection security include: Monkeysphere, Convergence, Perspectives Project and Tor onion services.


Using Tor does not magically solve the authentication problem. Tor's distinct advantage is that by providing anonymity, it is more difficult for attackers to perform a MitM attack with 
a rogue SSL/TLS certificate that is targeted at just one specific individual. However, the disadvantage of Tor is that it is easier for people or organizations running malicious Tor exit 
relays to perform a large scale MitM attempt. Further, malicious exit nodes could perform attacks targeted at a specific server, and especially those Tor clients who happen to utilize 
the service. 


In all cases, it is advised to use additional message encryption for email, chats and so on. It is unwise to rely on SSL/TLS alone. Relevant tools that may be useful include: 


• Encrypted messengers.
• GPG.
• KGpg.
• Mozilla Thunderbird for anonymous, encrypted email. [9]


Tor Network Attacks


Tor is not invulnerable to attacks. Several techniques are already used for deanonymization and Whonix ™ users can be similarly affected -- some of these attacks are described in 
further detail below. Interested readers can also refer to the Speculative Tor Attacks entry for a more comprehensive list of potential attacks against the Tor client, servers and/or 
network. 


Confirmation Attacks


A confirmation attack targets the broader Tor network itself, usually via multiple malicious Tor nodes. In this instance, the adversary controls or observes relays at both ends of the Tor circuit (the guard and exit relays). Comparisons are made of traffic timing, volume and other characteristics to confirm the relays share the same circuit. Since the first entry guard knows the user's IP, and the last exit relay knows the destination/resource accessed (like a webpage), this leads to deanonymization.


In a 2009 blog post, The Tor Project described this threat of deanonymization under specific conditions: [11]


The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see 
both flows, some simple statistics let you decide whether they match up. 


That could also be the case if your ISP (or your local network administrator) and the ISP of the destination server (or the destination server itself) cooperate to attack you. 


Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.


Traffic Analysis


Adversaries conducting traffic analysis are able to discover a varying amount of user information, depending on the position(s) they are occupying in the network. The following observations reveal various information, in increasing order:


• Observing the client-to-guard-node network path.
• Controlling the guard relay, as individual circuits can be examined.
• Observing the paths to the guard relay and from the Tor exit relay.
• Controlling the guard and exit relays (or client guard and onion service guard).
• Controlling both ends of the communication, and able to inject and manipulate traffic patterns.


Notably, The Tor Project has recently highlighted research that has identified a number of new, low cost, website traffic (fingerprinting) analysis attacks and potential mitigations; 
see Website Oracles for further information. 


Guard Discovery


Advanced adversaries are capable of identifying the guard node(s) in use by an onion service or Tor client. Many connections are made to the onion service, forcing it to create multiple circuits until one of the adversary's nodes is chosen as the middle relay (next to the guard). A traffic analysis side channel then confirms the relay is next to the onion service, confirming the identity of the service's guard node. The guard node is then compromised, forced or surveilled to discover the actual IP address of the onion service or client. [12]


Tor Defenses


Tor has implemented some defenses against limited adversaries that can gather traffic statistics from Internet routers along the path to the guard node, and is planning defenses 
against website traffic fingerprinting by guard node adversaries. However, a number of other attacks remain viable at present such as end-to-end correlation attacks, alternate 
guard node exploits, circuit fingerprinting attacks and so on. 


Documents


Whonix ™ does not Encrypt Documents by Default


If documents are saved inside Whonix ™, they will not be encrypted by default. This is why it is recommended to apply full disk encryption on the host to protect sensitive data. 
Documents created in Whonix ™ may also have specific file signatures that reveal use of the platform. This issue is currently being further investigated. 


Whonix ™ does not Clear Document Metadata


Numerous file formats store hidden data or metadata inside of the files. For example, text processors or PDF files could store the author's name, the date and time of file creation, 
and sometimes even parts of the file's editing history. The extent of hidden data depends on the file format and the software that is used. 


Image file formats like TIFF and JPEG are some of the worst offenders. For instance, when these files are created by digital cameras or mobile phones, they contain a metadata format called Exif whose defined tags can include:


• Date and time information.
• Occasionally GPS coordinates of the picture.
• Camera settings: camera model and make (including the serial number), orientation (rotation), aperture, shutter speed, focal length, metering mode and ISO speed information.
• A thumbnail for previewing the picture in file managers, on camera, or in photo editing software. Image processing software tends to keep Exif data intact.
• Descriptions.
• Copyright information.


Notably, the Internet is full of cropped or blurred images where the Exif thumbnail still contains the full original picture. Specialist software is often required to remove Exif tags before safely publishing images.


Be aware that Whonix ™ does not clear file metadata automatically. However, Whonix ™ comes bundled with MAT2 -- the Metadata Anonymisation Toolkit v2 -- as part of the 
design goal to help protect users. 
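As an added example (not MAT2's or Whonix ™'s own code), the following Python walks a JPEG that is constructed inline, reports the Exif IFD0 tags and embedded thumbnail it carries, and then rebuilds the file without any APPn/COM segments, which is the kind of stripping MAT2 performs. Tag numbers follow the Exif specification; the camera make, timestamp and thumbnail are constructed sample values.

```python
"""Inspect and strip Exif metadata in a JPEG. Added example, not MAT2/Whonix code.

The JPEG below is constructed inline: it has no real picture data, only the
marker structure needed to show where Exif lives and what it can contain.
"""
import struct

# Exif IFD0 tags reported by name (numbers from the Exif specification).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8825: "GPSInfoIFDPointer"}
# Byte size per element for the TIFF types BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def _ifd(endian, tiff, offset):
    """Parse one IFD; return ([(tag, type, count, raw_value_field)], next_ifd_offset)."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries, pos = [], offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack(endian + "HHI", tiff[pos:pos + 8])
        entries.append((tag, typ, n, tiff[pos + 8:pos + 12]))
        pos += 12
    return entries, struct.unpack(endian + "I", tiff[pos:pos + 4])[0]


def _value(endian, tiff, typ, n, raw):
    """Resolve an entry's value: inline if it fits in 4 bytes, else at the stored offset."""
    size = TYPE_SIZES.get(typ, 1) * n
    if size <= 4:
        buf = raw[:size]
    else:
        off = struct.unpack(endian + "I", raw)[0]
        buf = tiff[off:off + size]
    if typ == 2:                                   # ASCII, NUL-terminated
        return buf.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ in (3, 4) and n == 1:                   # single SHORT / LONG
        return struct.unpack(endian + ("H" if typ == 3 else "I"), buf)[0]
    return buf                                     # anything else: raw bytes


def iter_segments(jpeg):
    """Yield (marker, payload) per segment; the SOS payload is the rest of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:          # EOI without a preceding SOS
            return
        if marker == 0xDA:          # SOS: entropy-coded data follows up to EOI
            yield marker, jpeg[pos + 2:]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_report(jpeg):
    """Return recognised IFD0 tags plus the embedded thumbnail size ({} if no Exif)."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        entries, next_ifd = _ifd(endian, tiff, struct.unpack(endian + "I", tiff[4:8])[0])
        report = {TAG_NAMES.get(t, hex(t)): _value(endian, tiff, ty, n, raw)
                  for t, ty, n, raw in entries}
        report["thumbnail_bytes"] = 0
        if next_ifd:                # IFD1 describes the thumbnail, often the uncropped original
            for t, ty, n, raw in _ifd(endian, tiff, next_ifd)[0]:
                if t == 0x0202:     # JPEGInterchangeFormatLength
                    report["thumbnail_bytes"] = _value(endian, tiff, ty, n, raw)
        return report
    return {}


def strip_metadata(jpeg):
    """Rebuild the JPEG without APPn (Exif, XMP, IPTC, ...) and COM segments."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(jpeg):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            continue                # drop the metadata carriers
        if marker == 0xDA:
            out += b"\xff\xda" + payload     # scan header, image data and EOI, unchanged
            break
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def _sample_exif_app1():
    """Constructed APP1: big-endian TIFF, IFD0 with Make + DateTime, IFD1 with a thumbnail."""
    make, stamp, thumb = b"Acme\0", b"2021:05:06 07:08:09\0", b"\xff\xd8\xff\xd9"
    # TIFF offsets: header 0-8, IFD0 8-38, make 38-43, stamp 43-63, IFD1 63-93, thumb 93-
    ifd0 = (struct.pack(">H", 2) + struct.pack(">HHII", 0x010F, 2, len(make), 38)
            + struct.pack(">HHII", 0x0132, 2, len(stamp), 43) + struct.pack(">I", 63))
    ifd1 = (struct.pack(">H", 2) + struct.pack(">HHII", 0x0201, 4, 1, 93)
            + struct.pack(">HHII", 0x0202, 4, 1, len(thumb)) + struct.pack(">I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + make + stamp + ifd1 + thumb
    payload = b"Exif\0\0" + tiff
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, Exif APP1, a dummy DQT, SOS with three fake scan bytes, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + _sample_exif_app1()
               + b"\xff\xdb\x00\x04\x00\x00"
               + b"\xff\xda\x00\x02" + b"\x00\x01\x02" + b"\xff\xd9")

if __name__ == "__main__":
    print("before:", exif_report(SAMPLE_JPEG))
    print("after: ", exif_report(strip_metadata(SAMPLE_JPEG)))
```

A real stripper also has to decide about APP2 ICC profiles and the JFIF APP0 header; this example drops every APPn segment, which is the conservative choice for publishing.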


Email


Whonix ™ does not Encrypt Subject: and other Header Fields of Encrypted Emails


Unless precautions are taken, the "Subject:" line and other header fields are not encrypted when using OpenPGP encrypted email.





This weakness is not related to Whonix ™ or the OpenPGP protocol; it exists for backwards compatibility with the original SMTP protocol. Unfortunately, no RFC standard exists yet for Subject line encryption.


TODO: investigate if this situation has improved since Thunderbird native OpenPGP support.


Those who require OpenPGP encryption with a suitable email client are recommended to use Thunderbird (Mozilla's email client), which includes a graphical front-end for using the 
GnuPG ("GPG") encryption program. 


Fingerprinting

Whonix ™ does not Defeat Stylometry


Coding Style

Recent research has revealed that coders have a unique fingerprint similar to linguistic expressions. Machine learning techniques are capable of de-anonymizing code samples, using "abstract syntax trees" that analyze the underlying structure. For instance, a 2017 study found that GitHub coders could be identified with 99 per cent accuracy based on small and incomplete source code fragments. To date, attempts to obfuscate coding style have failed.


The implication is that "anonymous" developers of open-source projects might be identified by prior non-anonymous code contributions. It is likely that advanced adversaries will 
use this capability to target and de-anonymize developers of popular anonymity and censorship circumvention tools. 


Linguistic Style


Tip: The warning below equally applies to regular Whonix ™ wiki contributors and forum participants.





Whonix ™ does not obfuscate an individual's writing style, which is easily fingerprinted based on syntax and other grammatical idiosyncrasies. Unless precautions are taken, stylometric analysis based on linguistic characteristics is a credible threat. Research suggests only a few thousand words (or less) may be enough to positively identify an author, and there are a host of software tools available to conduct this analysis.


Whonix ™ may have an Unknown Signature


Developers have designed Whonix ™ to be indistinguishable from standard use of the Tor network. However, there may be unknown fingerprinting methods available to ISPs and 
other network adversaries which identify Whonix ™ users. If this is a legitimate concern, then investigate optional configurations which can hide Tor / Whonix ™ use from the ISP. 


Platform Security


Whonix ™ does not Improve Password Strength


Tor promotes online anonymity, while Whonix ™ automatically forces desktop-wide activities through Tor (along with many extra security features). However, neither Tor nor Whonix ™ is a one-click solution for impregnable security or absolute anonymity.


If weak passwords (passphrases) are used, they can be easily determined by brute-force attacks, whether or not Whonix ™ is installed. In essence, attackers systematically try all passwords until the correct one is found, or attempt to guess the key which is created from the password using a key derivation function (an exhaustive key search). This method is very fast for short and/or non-random passwords.


For greater security it is recommended to generate strong and unique Diceware passwords and follow other recommendations concerning safe habits, password generation and 
storage. 


Whonix ™ does not Protect against Compromised Hardware or Advanced Malware


Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware, nor detect advanced malware. Running all activities inside VMs is a very 
reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution. 


Whonix ™ cannot provide protection if the system's trusted computing base has been compromised by:


• Physical access and the installation of untrusted pieces of hardware (like a keylogger);
• Firmware Trojans (including BIOS/UEFI attacks); or
• Malware.


If the host system is affected by malware, firmware trojans or malicious hardware components, then every Whonix ™ virtual machine, Tor process and communication thought to 
be anonymous is similarly compromised. 


In the event a system compromise is strongly suspected or confirmed, the ultimate goal is to re-establish a trusted, private environment for future activities -- see Compromise 
Recovery for techniques to recover from host and/or Whonix ™ VM infections. 


Whonix ™ does not Secure the Host


The security of the Whonix ™ platform is itself reliant upon the security of the host. Naturally, most users are likely to run Whonix ™ on top of their everyday operating system without making any additional changes. However, safety is materially improved by using a dedicated host operating system solely for Whonix ™ VMs. For better security, this system should be configured on a computer bought solely for Whonix ™ activities, and which has never been used before.


There are a number of recommendations relevant to host OS security in the following Documentation sections: 


• Basic Security Guide.
• Advanced Security Guide.
• Computer Security Education.


The System Hardening Checklist also provides a quick and handy reference guide for specific areas of interest. 


Software


Avoid Non-Freedom Software


For system privacy, freedom and security it is strongly advised not to install proprietary, non-freedom software. Instead, use of Free Software is recommended. As Free Software pioneer Richard Stallman puts it:


• "... If you run a nonfree program on your computer, it denies your freedom; the main one harmed is you. ..."
• "Every nonfree program has a lord, a master -- and if you use the program, he is your master."
• "To have the choice between proprietary software packages, is being able to choose your master. Freedom means not having a master. And in the area of computing, freedom means not using proprietary software."


Or as the GNU project puts it [15]:


• Proprietary Software Is Often Malware
  ◦ Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.
  ◦ This typically takes the form of malicious functionalities.
  ◦ Some malicious functionalities are mediated by backdoors.
  ◦ Backdoor: any feature of a program that enables someone who is not supposed to be in control of the computer where it is installed to send it commands. (Note by editor: "Most times without user awareness or consent.")


The GNU project created a list with examples of Proprietary Backdoors. The Electronic Frontier Foundation (EFF) has other examples of the use of backdoors.

Open Source software like Qubes, Linux and Whonix ™ is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle, the basis of modern cipher systems design. This principle asserts that systems must be secure even if the adversary knows everything about how they work. Generally speaking, Freedom Software projects are much more open and respectful of the privacy rights of users. Freedom Software projects also encourage security bug reports, open discussion, public fixes and review.


Possible risks associated with using non-freedom software: 


• Vendor lock-in and abandonware: Your data is saved in obfuscated formats that depend on a closed software package. If the company goes out of business or they decide to change the format down the line, you are held hostage to these companies and need to pay up to access it. In contrast, FLOSS (Free/Libre and Open Source Software) uses open, documented file formats, and popular abandoned software projects have a much higher chance of finding a new developer.
• DRM: Publishing companies treat their customers like thieves and severely limit what they can do with media they purchased.
• Malware: Potential advanced malware in the software itself that is not easily reversed or discovered.
• Freedom Restrictions and Privacy Invasion: No ability to change or disable undesirable privacy-violating features like telemetry because of licensing restrictions and absence of source code. It is extremely rare that anti-features are added by FLOSS developers because it is antithetical to the community culture and easily remedied if discovered by others, who can fork the software and fix it.
• Privacy Breaches: Proprietary software is notorious for harvesting user data and monetizing it with advertisement networks, which themselves have been used as malware delivery networks by malicious customers.
• Third Party Dependencies: Software that depends on third party servers could access identifying information for payments or logins linked to real identity.
• More defects per line: While FLOSS software isn't automatically free of security bugs, it objectively has fewer defects per line of code compared to proprietary software.





Even as a non-developer, a user's attention, suggestions and testing are a valuable public service and further strengthen the libre alternatives, which will stay available to everyone indefinitely. It is in the user's interest to support FLOSS and decentralization to keep free computing alive and to curtail abusive monopolist practices and influence. Even if a FLOSS package's functionality is lacking in the short term (this is very rare nowadays, with FLOSS leaving proprietary software in the dust), it can always be improved, whereas the drawbacks of proprietary software listed above are intrinsic to its mode of development and are not something that can change for the better.


For more information on installing third-party Libre software consult the Install Software page.
See also: Is It Ever a Good Thing to Use a Nonfree Program?
Related: Why Whonix ™ is Freedom Software


Table: Finding Backdoors in Freedom Software vs Non-Freedom Software

The table compares Freedom Software (source code available) with non-freedom software (only binaries) on the following criteria:

• Usually not using obfuscation (anti-disassembly, anti-debugging, anti-VM)
• Price for security audit looking for backdoors
• Difficulty of spotting a "direct" backdoor [29] [30]
• Difficulty of spotting a bugdoor
• Third parties can legally fork the software and release a patched version without the backdoor
• Third parties can possibly make (possibly legally questionable) modifications such as disabling serial
• Third parties can find logic bugs in the source code
• Third parties can find logic bugs in the disassembly
• Can benefit from worldwide wisdom of the crowd
• Third parties can benefit from debug symbols during analysis
• Display source code intermixed with disassembly
• Effort to audit subsequent releases

See also the forum discussion.


Spotting backdoors is already very difficult in Freedom Software, where the full source code is available to the general public. Spotting backdoors in non-freedom software, i.e. obfuscated binaries, is exponentially more difficult. [42] [43] [44] [45] [46] [47] [48] [49]





To further improve the situation in the future, the Freedom Software community is working on the Reproducible Builds project. Quote:


Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. 


Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond. 
This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence. 


This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.


Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as a successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.


The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising 
identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny. 


This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.


Several free software projects already, or will soon, provide reproducible builds.


Always Verify Signatures


For greater system security, it is strongly recommended to avoid installing unsigned software. Always make sure that signing keys and signatures are correct and/or use 
mechanisms that heavily simplify and automate this process, like apt-get upgrades. 


As a reminder, digital signatures are not a magic bullet. While they increase the certainty that no backdoor was introduced by a third party during transit, this does not mean the 
software is absolutely "backdoor-free". Learn more about this process and what digital signatures prove. 


Tor


Tor Exit Relays can Eavesdrop on Communications


The Tor network hides an individual's location, but it does not automatically encrypt communications.





Instead of taking a direct route from source to destination, communications using the Tor network take a random pathway through several Tor relays to help cover the user's tracks. 
This means observers at any single point cannot tell both where the data came from and where it is going. 


Figure: How Tor Works [50]
A Tor connection usually goes through 3 relays with the last one establishing the actual connection to the destination server.


The last relay on the three-hop circuit is called the Tor exit relay. It is the critical relay that establishes the actual connection to the destination server. By design, Tor does not 
encrypt the traffic between a Tor exit relay and the final destination. This means any exit relay is in a position to capture any traffic passing through it. To protect against snooping 
by the Tor exit relay, end-to-end encryption should always be used. [51] 


Malicious exit nodes have previously been used to spy on sensitive communications. For example, in 2007, a security researcher monitored the connections coming out of an exit 
relay under their control and intercepted thousands of private e-mail messages [archive] sent by foreign embassies and human rights groups around the world. (w [archive]) 


While browsing, sending email or chatting online, it is recommended to utilize the necessary tools bundled with Whonix ™ to enforce strong encryption. Refer to the Documentation 
for necessary steps to remain safe. [52] 


Use of Tor Is Obvious 


Tor tries to prevent attackers from learning what destination websites are being connected to. 


Both the ISP and a local network administrator can easily check whether connections are made to a Tor relay rather than to a normal web server. For the extent to which this can be 
hidden, see Hide Tor use from the Internet Service Provider. 


The destination server contacted through Tor can learn whether the communication originates from a Tor exit relay by consulting the publicly available list of known exit relays. For 
example, The Tor Project Tor Bulk Exit List tool [archive] could be used for this purpose. 
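How little effort that server-side check takes is the point of this section. The following added example (not code from Whonix ™ or The Tor Project) parses the two formats in which exit lists are published, the TorDNSEL "exit-addresses" format and the plain one-address-per-line bulk list, and tags constructed web server log lines with whether the client address is a known exit. The fingerprints, addresses and log lines are constructed for the example.

```python
import ipaddress

# Constructed sample in the TorDNSEL "exit-addresses" format (one ExitNode
# block per relay). Fingerprints and addresses are made up for this example.
EXIT_ADDRESSES_SAMPLE = """\
ExitNode 0011223344556677889900112233445566778899
Published 2021-03-01 12:00:00
LastStatus 2021-03-01 13:00:00
ExitAddress 198.51.100.7 2021-03-01 12:30:00
ExitNode AABBCCDDEEFFAABBCCDDEEFFAABBCCDDEEFFAABB
Published 2021-03-01 11:00:00
LastStatus 2021-03-01 13:00:00
ExitAddress 203.0.113.9 2021-03-01 12:45:00
ExitAddress 2001:db8::9 2021-03-01 12:45:00
"""

# Constructed sample in the plain bulk-list format (one address per line).
BULK_LIST_SAMPLE = """\
# constructed bulk exit list
203.0.113.9
192.0.2.250
not-an-address
"""

# Constructed web server access log lines (common log format, abbreviated).
ACCESS_LOG_SAMPLE = [
    '198.51.100.7 - - [01/Mar/2021:12:31:02 +0000] "GET /login HTTP/1.1" 200',
    '192.0.2.1 - - [01/Mar/2021:12:31:05 +0000] "GET / HTTP/1.1" 200',
    '2001:db8::9 - - [01/Mar/2021:12:31:09 +0000] "POST /contact HTTP/1.1" 302',
]


def parse_exit_list(text):
    """Return the set of exit addresses found in either published format."""
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "ExitAddress" and len(parts) >= 2:
            candidate = parts[1]          # exit-addresses format
        elif len(parts) == 1:
            candidate = parts[0]          # bulk list: bare address per line
        else:
            continue                      # ExitNode / Published / LastStatus lines
        try:
            exits.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue                      # skip malformed entries instead of failing
    return exits


def is_tor_exit(address, exits):
    """True if the address is a known exit; malformed input is never a match."""
    try:
        return ipaddress.ip_address(address) in exits
    except ValueError:
        return False


def tag_access_log(lines, exits):
    """Pair each log line's client address with whether it is a known Tor exit."""
    tagged = []
    for line in lines:
        client = line.split(" ", 1)[0]
        tagged.append((client, is_tor_exit(client, exits)))
    return tagged


if __name__ == "__main__":
    known = parse_exit_list(EXIT_ADDRESSES_SAMPLE) | parse_exit_list(BULK_LIST_SAMPLE)
    for client, via_tor in tag_access_log(ACCESS_LOG_SAMPLE, known):
        print(f"{client:<16} tor_exit={via_tor}")
```

Because the lists are public and change slowly, any operator can run this against their logs; this is why a Whonix ™ user is identifiable as a Tor user to every destination, even though the destination learns nothing about where the user actually is.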


Based on this information, Whonix ™ users will not appear to be random Internet users unless extra measures are taken to hide the telltale signs of Tor use. The strong anonymity provided by Tor and 
Whonix ™ is based on trying to make everyone look exactly the same, so it is not possible to identify a specific individual in the larger user pool. 


Ultimately, stronger protection requires a social approach; the larger the pool of Tor users (in close proximity) and the more diverse [archive] their interests, the less likely it will be that 
a specific individual can be identified. Convincing others to use Tor will help the larger anonymity-minded community. [53] 


Persistent Tor Entry Guard Relays can Enable Physical Location Tracking 




Many well known enhanced anonymity designs such as Tor, Whonix ™ and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based 
research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user. [55] 


Note: Guard fingerprinting techniques are similar to methods that track users via MAC addresses. If this is a realistic threat, then MAC address randomization is also 
recommended. 





In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard 
node, but previously used a three-guard design. Guards have a primary lifetime of 120 days. [57] [58] [59] 


Warning: In some situations it is safer to not use the usual guard relay! 





Guard Fingerprinting 
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards [60] and de-anonymize a user. For instance: 


• The same entry guards are used across various physical locations and access points. 
• The same entry guards are used after permanently moving to a different physical location. 




There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after 
returning home: 


• Clone Whonix-Gateway ™ (sys-whonix) with New Entry Guards. 

• Regenerate the Tor State File after Saving the Current Tor State. 

• Configure Tor to use Alternating Bridges. 

• If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File. 
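Why a persistent guard set behaves like an identifier, and what the mitigations above change, as an added example (not code from Whonix ™ or Tor): the first function computes how many bits of identifying information a guard set carries when guards are drawn uniformly from a pool; with an assumed pool of about 512 guards it reproduces the roughly 9, 17 and 25 bits cited in the footnote for one, two and three guards. The second function takes constructed observations of (network, guard set) pairs, such as an observer at each network could record, and reports which networks are tied together by a shared guard set; in the sample the guard was reused once at a cafe (linkable to home), while the trip where the state file was regenerated and later restored is not.

```python
import math
from collections import defaultdict


def guard_set_entropy_bits(guards_available, guards_per_client):
    """Identifying information (bits) carried by a client's guard set when
    guards are drawn uniformly from the available pool: log2 of the number
    of possible sets. Real Tor weights guards by bandwidth, which lowers this."""
    return math.log2(math.comb(guards_available, guards_per_client))


# Constructed observations: (network the client connected from, guard
# fingerprints it used). Names are placeholders, not real relay fingerprints.
OBSERVATIONS = [
    ("home-isp", frozenset({"GUARD_A"})),
    ("cafe-wifi", frozenset({"GUARD_A"})),   # same guard reused away from home
    ("hotel-wifi", frozenset({"GUARD_B"})),  # state file regenerated before the trip
    ("home-isp", frozenset({"GUARD_A"})),    # saved state restored after returning
]


def locations_linked_by_guard_set(observations):
    """Group the networks each guard set was seen from. A guard set that shows
    up on more than one network ties those networks to a single client, which
    is the fingerprinting risk the mitigations above are meant to avoid."""
    seen = defaultdict(set)
    for network, guards in observations:
        seen[guards].add(network)
    return {guards: sorted(nets) for guards, nets in seen.items() if len(nets) > 1}


if __name__ == "__main__":
    # Assumed pool of 512 equally likely guards.
    for k in (1, 2, 3):
        print(f"{k} guard(s): {guard_set_entropy_bits(512, k):.1f} bits")
    for guards, nets in locations_linked_by_guard_set(OBSERVATIONS).items():
        print(f"guard set {sorted(guards)} seen from {nets}")
```

The entropy figure is the reason the page warns against the three-guard design for mobile users and the reason alternating bridges or a regenerated state file help: each new guard set starts a fresh identifier, and restoring the saved state at home keeps the home identity separate from the travel one.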


Forum discussion: 
https://forums.whonix.org/t/persistent-tor-entry-guard-relays-can-make-you-trackable-across-different-physical-locations/2090 [archive] 


For more information, see the advanced topic Configure Non-Persistent Entry Guards. 


Tor cannot Protect Against a Global Adversary 


A global, passive adversary is defined as a person or entity who is able to monitor the traffic between all the computers in a network at the same time. By studying the timing and 
volume patterns of the different communications across the network, it is statistically feasible to identify Tor circuits and thus match Tor clients with destination servers. 


In order to create a low-latency communication service which is usable for web browsing, Internet chat or SSH connections, The Tor Project has made a security trade-off and has 
not attempted to address this threat. 


For more expert information on this topic, see Tor Project: The Second-Generation Onion Router [archive] (w [archive]), part 3. Design goals and assumptions. 


Whonix ™ Persistence vs Live vs Amnesic 


This depends on whether the user is using a live operating system or Host Live Mode. See: VM Live Mode | Host Live Mode | Whonix ™ on USB 


When not using a live operating system or Host Live Mode: 

As with any software, if software is downloaded or used on a computer, local traces of the download, installation and use will be left on the device's mass storage (hard 
drive, HDD, SSD). This normal mode of operation is referred to as persistent mode since any files downloaded, documents created, etc. persist after a reboot. 

Any created files will still exist after the computer is powered-off or rebooted, unless steps are taken to securely wipe the files to remove all signs of their existence. When not using 
VM Live Mode or Host Live Mode, there are no special measures to limit what is written to disk. Therefore, there may be evidence of activity in created files, backup files, 
temporary files, swap, chat history, browser history and so on. 


Those using VM Live Mode inside Non-Qubes-Whonix ™ virtual machines (VMs) should be aware that although writes go to RAM instead of the HDD/SSD, traces of activity may 
be left in swap files, core dumps or via other configurations on the host. If this is considered an issue, see Anti-Forensics Precautions, or better, use Host Live Mode. [62] [63] 


Since persistent mode is probably at least partially used by most users, it is recommended in documentation to use multiple VM Snapshots and to apply Full Disk Encryption on the 
host. Encrypting everything, including data, system and swap partitions provides a higher level of security. 
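A quick check for the swap part of that recommendation, as an added example (not a Whonix ™ tool): it parses the Linux /proc/swaps table and classifies each swap area as RAM-backed (zram), device-mapper backed (dm-crypt or LVM; encryption must be confirmed separately, for instance with `cryptsetup status`), or written directly to a partition or file, which leaves memory contents on disk in the clear unless the device or filesystem underneath is itself encrypted. The sample table is constructed; the classification is a heuristic of this example.

```python
from pathlib import Path

# Constructed /proc/swaps content in the kernel's column layout
# (Filename, Type, Size, Used, Priority; sizes in KiB).
PROC_SWAPS_SAMPLE = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/dm-1                               partition\t8388604\t0\t-2
/swapfile                               file\t\t2097148\t0\t-3
/dev/zram0                              partition\t1048572\t0\t100
"""


def parse_proc_swaps(text):
    """Parse /proc/swaps into a list of dicts, skipping the header row."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue                       # tolerate blank or malformed lines
        name, kind, size_kib, used_kib, prio = parts
        entries.append({"name": name, "type": kind, "size_kib": int(size_kib),
                        "used_kib": int(used_kib), "priority": int(prio)})
    return entries


def classify_swap(entry):
    """Heuristic (this example's own): where do swapped pages end up?"""
    name = entry["name"]
    if name.startswith("/dev/zram"):
        return "ram-backed"    # compressed in RAM, never written to disk
    if name.startswith("/dev/dm-") or name.startswith("/dev/mapper/"):
        return "mapped"        # dm-crypt or LVM: confirm encryption with cryptsetup status
    return "direct"            # raw partition or swap file: plaintext unless the layer below is encrypted


def swap_report(text):
    return [(entry["name"], classify_swap(entry)) for entry in parse_proc_swaps(text)]


def has_direct_swap(text):
    """True if any swap area writes straight to a partition or file."""
    return any(kind == "direct" for _, kind in swap_report(text))


if __name__ == "__main__":
    proc = Path("/proc/swaps")
    text = proc.read_text() if proc.exists() else PROC_SWAPS_SAMPLE
    for name, kind in swap_report(text):
        print(f"{name:<20} {kind}")
    if has_direct_swap(text):
        print("warning: swap is written directly to disk; check that the device underneath is encrypted")
```

Footnote 62 explains why this check belongs on the host rather than inside the VM: the host swaps guest memory whether or not the guest is in live mode, so host-side full disk encryption (including the swap partition) is what actually keeps that data off an unencrypted disk.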


When using a live operating system or Host Live Mode: 

See page Host Live Mode for details. 

Live DVD / USB 

If you are interested in installation of Whonix ™ on USB, see Whonix ™ on USB. 

At the time of writing Whonix ™ does not offer a Live DVD / USB, although this situation may change in the future, see Whonix-Host. 


Whonix ™ Development 


Missing Whonix ™ Features 


Whonix ™ is currently alpha quality software and missing some features, including those relating to security. While many issues listed below are planned for future implementation, 
a number will probably never get "fixed" because they are impossible to address in a software-only project. 


Table: Missing Whonix ™ Features 

Category | Missing Feature or Capability 

Adversaries | Protect against global network adversaries. 
AppArmor | Apply AppArmor profiles for every process or application. [64] 
Backdoors | Protect against hardware or software backdoors. 
Encryption | Encrypt a user's data, documents, files and so on. 
Hardening | Use all the possible hardening options like full PIE and grsecurity. 
Local Adversaries | Protect against local adversaries who could mount cold boot and evil maid attacks, or otherwise compromise a user's physical machine. 
MAC Address | Automatically protect against MAC address fingerprinting on public networks. 
Passwords | Make weak passwords stronger. 
RAM | 
  • Wipe RAM on shut down. See Idea #30076: Enhance Privacy/Security, Wipe RAM on shut down, reboot and trigger [archive]. 
  • Wipe video RAM on shut down. See Tails - erase video memory on shutdown [archive]. 
Security Updates | Automatically apply security updates. This was a conscious developer decision because automated updates also come with their own set of security problems. However, whonixcheck provides notifications about updates on Whonix-Workstation ™. 
Software Attacks | Protect against highly skilled software attacks, unless physical isolation or Qubes-Whonix ™ is utilized. 
Stylometry | Obfuscate an individual's linguistic style to defeat stylometric analysis. 
Tor | 
  • Provide protection by default if Tor is somehow broken. This situation is partially mitigated (with caveats) by chaining Tor with SSH, proxies or VPNs. 
  • Disguise the use of Tor by default - it has been assessed this goal is difficult beyond practicality. 
Users | Protect those who: fail to read the Documentation, engage in unsafe behaviors, or change default settings without knowing the implications. 
Whonix ™ | Have deterministic builds, see Dev/Archived Discussions. [65] 


This list is likely incomplete. It is strongly encouraged to read the rest of the Documentation and perhaps the Design chapter to have a full overview of Whonix ™ security, including 
the list of supported and unsupported features. 


Contributors who want to help improve Whonix ™ security should join the discussions on Dev/Archived Discussions, or on the developer mailing list. 


Whonix ™ is a Work in Progress 
Whonix ™, as well as all the software it includes, are under continuous development and might contain programming errors or security holes -- Stay Tuned to Whonix ™ 
development, and do not rely on the platform for strong anonymity. 


That said, Whonix ™ has a strong foundational design [archive] since it uses both the Isolating Proxy and Transparent Proxy concepts. Since Whonix ™ was founded in 2012, no 
anonymity leaks or proxy bypass problems have yet been discovered. Whonix ™ has been developed with great care, but it is impossible to ever prove that it is absolutely 
"leak-proof" or free of mistakes that degrade the goals of the extended project description. (w [archive]) 


Basic functionality is built-in and Whonix ™ can be used to browse the web and host onion services, use email, IRC, SSH, and a host of other activities. Development is ongoing 
and more features are continually being added. Contributors who want to join the development process are most welcome; see Patches are Welcome. A complete list of open 
issues is available on the Whonix ™ issues tracker [archive]. 


See also: Whonix ™ Protection Against Real World Attacks, Security Reviews and Feedback and Security Overview. 


Unsubstantiated Conclusions 


Users must be careful not to draw incorrect conclusions based on the existence of specific Whonix ™ communication channels, community software utilized, applications installed 
on the platform, or the availability of certain wiki entries. Whonix ™ tries to use concise language so that users are not misled into believing anything has been implied. Despite this 
effort, users will sometimes draw false conclusions in an unintended way. Consider the following hypothetical discussion. 


Developer: Donations to Whonix ™ are possible via Bitcoin. 


Whonix ™ user: Since you are knowledgeable about Bitcoin, can you also accept Monero donations? 


In this case the hypothetical developer did not state "I am knowledgeable about Bitcoin", but rather concisely stated "Donations to Whonix ™ are possible via Bitcoin." The 
conclusion drawn by the user "Since you are knowledgeable about Bitcoin" might be totally unsubstantiated. 


In a similar fashion, just because Whonix ™ does something -- like providing a telegram channel [archive] -- it does not follow that Whonix ™ endorses it; see also Terms of Service: 
Non-endorsement. A list of further examples is outlined below. 


Table: Facts vs. False Conclusions 


Fact [66] | False Conclusion [67] | More Information 

Whonix ™ provides a Bitcoin (BTC) donation address. | Bitcoin is anonymous. | Anonymous Money 

Whonix ™ provides a Monero (XMR) donation address. | Monero is perfect. | Anonymous Money 

The Whonix ™ website is using popular web applications (web apps) like MediaWiki [archive], Phabricator [archive] and Discourse [archive] (forum software). | These are perfectly "secure" (for whatever purpose, threat model) web apps. | In an ideal world, better web apps would be used but this is not possible due to finite Whonix ™ resources. To learn more, see: Privacy on the Whonix ™ Website. 

Whonix ™ provides downloadable VirtualBox builds. | VirtualBox is secure. | VirtualBox isn't an ideal choice but there are reasons for maintaining VirtualBox support. 

Whonix ™ is available for Windows hosts. | Windows is a suitable host. | Windows Hosts pose numerous security and privacy threats. 

Whonix ™ is installable on macOS hosts. | macOS is a suitable host. | macOS Hosts pose numerous security and privacy threats. 

Whonix ™ is Freedom Software. | Whonix ™ is a Freedom Software 'maximalist' project. | See also: 
  • Dev/nonfree; 
  • Forum discussion: Whonix host - nonfree blobs - firmware-linux-nonfree [archive]; and 
  • Whonix ™ and Free System Distribution Guidelines (GNU FSDG) [archive]. 

Whonix ™ provides a telegram channel [archive] support channel. | Telegram is a perfect, privacy-respecting, secure messenger. | See footnote. [68] 

There is an official Whonix ™ twitter profile [archive]. | Twitter is a safe platform to utilize. | Official Whonix ™ Online Profiles 

whonix.org has a public forum [archive]. | The whonix.org forum and chat are intended to promote free speech. | Unfortunately, running a free speech platform is a full-time job and would constitute a separate project in itself. This is simply not possible as a side project. For further details, see: Limitations on Free Speech on Whonix Website and Whonix Chat. 

Whonix ™ is Open Source. | Whonix ™ must/should implement all ideas from the community. | See: Community Feedback / Patches are Welcome. It is also recommended to consult the following resources: 
  • list of forum posts regarding the Whonix ™ project philosophy [archive]; 
  • Linux User Experience versus Commercial Operating Systems; and 
  • the underpinning Rationale for this chapter. 


See also: Do Not Draw Wrong Conclusions. 


On top of unsubstantiated conclusions, it also happens that adherence to "perfectly moral" behavior or an approved ™ set of political/ideological beliefs is expected from the 
Whonix ™ project. However, what counts as "perfectly moral", and the path to attaining it, will always be subjective and disputed among proponents. Such demands include 
"don't allow running Whonix ™ on Windows hosts", "don't have a twitter project account", "don't accept Bitcoin donation", "don't use centralized services such as telegram", "don't 
document X, because of Y". Those disagreeing with our methods and philosophy are welcome to exercise their right to fork [archive] the project under the respective licenses. 


Footnotes 


1. Depending on personal circumstances and the Whonix ™ platform in use. 

2. 2.0 2.1 https://www.sans.org/reading-room/whitepapers/engineering/social-engineering-means-violate-computer-system-529 [archive] 

3. https://en.wikipedia.org/wiki/Man-in-the-middle_attack [archive] 

4. HTTPS here refers to encrypted connections, whether it is (inferior) SSL or TLS. 

5. Source: Comodo: The Recent RA Compromise [archive] (w [archive]) 

6. Source: The Tor Project: The DigiNotar Debacle, and what you should do about it [archive] (w [archive]) 

7. This is one reason why self-authenticating onion services (.onion) connections are superior to HTTPS, because they do not rely on the flawed CA system for confirmation of the 
destination server. 

8. Onion Services are automatically encrypted end-to-end. More specifically, connections remain within the Tor network at all times. 

9. Quoted from wikipedia Man-in-the-middle_attack [archive] (w [archive]) and Tor Project: Detecting Certificate Authority compromises and web browser collusion [archive] (w [archive]) 

10. https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack [archive] 

11. http://www.webcitation.org/6EUyoQu9N [archive] 

12. 12.0 12.1 https://blog.torproject.org/tors-open-research-topics-2018-edition [archive] 

13. For example, the XKeyscore [archive] program is actively targeting Exif information for collection. 

14. Who should also prefer v3 onion connections to Whonix ™ infrastructure whenever possible. 

15. Changed "back door" to "backdoor". 

16. https://www.techrepublic.com/article/open-source-vs-proprietary/ [archive] 

17. https://resources.infosecinstitute.com/topic/anti-disassembly-anti-debugging-and-anti-vm/ [archive] 

18. An Open Source application binary could be obfuscated in theory, but depending on the application and the context (Open Source software does not normally use obfuscators) 
that would be highly suspicious. An Open Source application using obfuscators would probably be criticized in public, get scrutinized and lose user trust. 

19. Because for non-freedom software, which is usually only available as a pre-compiled, possibly obfuscated binary (using an anti-decompiler): 
  o auditors can only look at the disassembly and cannot compare a pre-compiled version from the software vendor with a self-compiled version from source code. 
  o there is no well written, well commented, easily readable by design source code. 

20. Since there is no source code, one cannot self-build one's own binary. 


21. 
  o small: for non-reproducible builds (or reproducible builds with bugs) 
  o none: for reproducible builds 

22. License agreements of proprietary software often expressly forbid decompilation. 

23. Skype used the DMCA (Digital Millennium Copyright Act) to shut down reverse engineering of Skype [archive] 

24. Decompilation is always legal, permitted in the license agreements of Freedom Software. 

25. 25.0 25.1 This is very difficult since nowadays most outgoing connections are encrypted by default. At some point the content must be available to the computer 
unencrypted, in plain text, but accessing that is not trivial. When running a suspected malicious application, one cannot trust local traffic analyzers such as wireshark, since the 
malicious application might have compromised the host operating system and be hiding that information from the traffic analyzer or through a backdoor. An option might be running 
the application inside a virtual machine, but many malicious applications actively attempt to detect virtual machines and, if detected, avoid doing malicious things to avoid detection. 
Ultimately this might be possible, but very difficult. 


26. One has to decompile the binary and read "gibberish" or try to catch malicious traffic originating from the software under review. How many people decompiled, for example, 
Microsoft Office and kept doing that for every upgrade? 

27. One can: 
  1. Audit the source code to be free of backdoors. 
  2. Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, no difference (thanks to the reproducible builds project) or a 
small difference (due to non-determinism introduced during compilation such as timestamps). 

28. "direct" backdoor: Such as a hardcoded username and password or login key only known by the software vendor. No plausible deniability for the software vendor. 

29. List of "direct" backdoors in wikipedia [archive]. 

30. One interesting "direct" backdoor was this bitcoin copay wallet backdoor. 
  o If more than 100 BTC, steal it. Otherwise, don't bother. 
  o https://www.synopsys.com/blogs/software-security/malicious-dependency-supply-chain/ [archive] 
  o https://github.com/dominictarr/event-stream/issues/116 [archive] 
  o https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047 [archive] 

31. Requires strong disassembly auditing skills. 

32. If, for example, hardcoded login credentials were in the published source code, that would be easy to spot. If the published source code is different from the actual source code 
used by the developer to compile the binary, that difference would stand out when comparing pre-compiled binaries from the software vendor with binaries self-compiled by an auditor. 

33. bugdoor: A vulnerability that can be abused to gain unauthorized access. Provides plausible deniability for the software vendor. See also Obfuscated C Code Contest [archive]. 

34. Such issues are hard to spot in the source code but even harder to spot in the disassembly. 

35. Forbidden in license agreement. Due to lack of source code, no serious development is possible. 

36. Since source code is already available under a license that permits software forks and redistribution. 

37. This entry is to differentiate from the legal software fork above. Precompiled proprietary software is often modified by third parties, such as for purposes of privacy, game modding 
or exploitation. 

38. For example, Intel ME could not be disabled in Intel CPUs yet, neither is there a Freedom Software re-implementation of Intel Microcode at time of writing. 

39. 
  o objdump [archive] with parameter -S / --source 
  o How does objdump manage to display source code with the -S option? [archive] 

40. One could review the disassembly but for subsequent releases that's duplicating the effort. The disassembly isn't optimized to change as little as possible or to be human 
understandable. If the compiler added new optimizations or compilation flags changed, that creates a much bigger diff [archive] of the disassembly. 

41. After the initial audit of a source-available binary, one can follow changes of the source code. To audit any newer releases, an auditor can compare the source code of the initially 
audited version with the new version. Unless there was a huge code refactoring or complete rewrite, the effort to audit subsequent versions is lower. 

42. The assembler low level [archive] programming language is more difficult than other higher level abstraction [archive] programming languages according to most people 
discussing it on the internet. Example web search terms: assembler easy, assembler easier, assembler difficult. 

43. Source code written in higher level abstraction programming languages such as C and C++ is compiled to object code [archive] using a compiler. See this article [archive] for an 
introduction and this image [archive]. Source code written in the lower level abstraction programming language assembler is converted to object code using an assembler. See the 
same article and this image [archive]. Given a reasonably complex program that was written in C or C++, where the source code is unavailable, reverse engineering is very difficult. 
That can be deduced from the high price for it. It is possible to decompile (meaning re-convert) the object code back to C with a decompiler such as, for example, Boomerang [archive]. 
Quote Boomerang: Help! I've lost my source code [archive], which is putting a price tag on it: 

  How much will it cost? 

  You should expect to pay a significant amount of money for source recovery. The process is a long and intensive one. Depending on individual circumstances, the quality, quantity 
  and size of artifacts, you can expect to pay upwards of US$15,000 per man-month. 

  o https://unix.stackexchange.com/questions/229802/convert-executable-back-to-c-source-code [archive] 


44. Try to solve the question of how to disassemble a binary (byte code) into assembly source code and re-assemble (convert) to binary? 
  o Tricks to Reassemble Disassembly [archive] 
  o https://stackoverflow.com/questions/6327862/ida-pro-asm-instructions-change [archive] 
  o Why there are not any disassemblers that can generate re-assemblable asm code? [archive] 
  o https://reverseengineering.stackexchange.com/questions/3203/recompile-the-asm-file-ida-pro-created [archive] 
  o https://www.researchgate.net/publication/323249543_Superset_Disassembly_Statically_Rewritin [archive] 
  o https://gist.github.com/jarun/ea47cc31f1b482d5586138472139d090 [archive] 
  o How to disassemble a binary executable in Linux to get the assembly code? [archive] 
  o Use GCC and objdump to disassemble any hex to assembly code [archive] 

  1. Take a hello world assembler source code. 
  2. Assemble. 

    nasm -felf64 hello.asm 

  3. Link. 

    ld hello.o -o hello 

  4. objdump (optional). 

    objdump -d hello 

  5. Exercise for the reader: disassemble hello and re-assemble. 

45. The GNU Hello [archive] program source file hello.c [archive] at time of writing contains 170 lines. The objdump -d /usr/bin/hello on Debian buster has 2757 lines. 

  Install hello. 

  1. Update the package lists. 

    sudo apt-get update 

  2. Upgrade the system. 

    sudo apt-get dist-upgrade 

  3. Install the hello package. 

  Using apt-get command line parameter --no-install-recommends is in most cases optional. 

    sudo apt-get install --no-install-recommends hello 

  The procedure of installing hello is complete. 

    objdump -d /usr/bin/hello 

46. See for example how difficult it was to reverse engineer Skype. Skype Reverse Engineering : The (long) journey ;).. [archive] 

47. 
  o Take all the Debian package maintainer scripts. Are these easier to review as is, where most of them are written in sh or bash, or if these are converted to a program written in C, 
closed source, precompiled? 
  o Do we prefer if OnionShare stays written in python, Open Source, or do we prefer the project turned into a precompiled binary? 

48. salary comparison 
  o low - median - high 
  o python [archive]: 77 - 92 - 108 
  o python [archive]: 54 - 79 - 107 
  o C [archive]: 56 - 80 - 100 
  o C [archive]: 49 - 80 - 112 
  o malware reverse engineering [archive]: 101 - 124 - 149 
  o Assembler [archive]: 84 - 104 - 131 
  o Malware Analyst [archive]: 75 - 115 - 141 

49. How much does a security audit cost, reverse engineering vs source-available? 

50. Source: Tor: Overview [archive] License: Creative Commons Attribution 3.0 United States License [archive] 

51. For example, a HTTPS or onion service (.onion) connection. 

52. Source: Tor FAQ: Can exit relays eavesdrop on communications? [archive] (w [archive]) 

53. Attribution: Two sentences in this chapter have been forked from the Tor [archive] (w [archive]) website, which was licensed under a Creative Commons Attribution 3.0 United 
States License [archive] (w [archive]) at the time of writing. 

54. Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users. 


55. Source: torproject.org What are Entry Guards? [archive] (w [archive]) license [archive] (w [archive]); Content on this site is Copyright The Tor Project, Inc. Reproduction of 
content is permitted under a Creative Commons Attribution 3.0 United States License [archive] (w [archive]) | All use under such license must be accompanied by a clear and prominent 
attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. [archive] reserves the right to change licenses and permissions at any 
time in its sole discretion. 

56. The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk. 

57. Prop 291 indicates a 3.5 month guard rotation. 

58. The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use. 

59. https://github.com/torproject/torspec/blob/master/proposals/291-two-guard-nodes.txt [archive] 

60. The entropy associated with one, two or three guards [archive] is 9, 17 and 25 bits, respectively. 

61. https://metrics.torproject.org/relayflags.html 

62. Unix-like operating systems also swap (move) memory pages between host RAM and the host disk [archive], and this behavior cannot be prevented in Whonix ™ VMs. The danger 
is that data leakage might occur and an unencrypted swap partition could reveal interesting data to an attacker or be used to store unencrypted copies of files in /tmp for later retrieval. 

63. http://www.linuxtopia.org/online_books/linux_administrators_security_guide/O6_Linux_File_System_ar 

64. Although a full system MAC policy is currently in development, see here [archive] for further details. 

65. Although Tor now has deterministic builds, see Bug 3688 [archive]. 

66. Things that were really stated. 

67. Things which were not said or implied. 

68. Some criticisms of Telegram. 
  o New releases are squished into a single commit, see: one commit [archive]. 
  o It is impossible to sign up without a phone number. [archive] 
  o There are other concerns, but they are irrelevant for illustrating the point being made here. 